My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2017-07-06

Virus description added:


  • bc202804250692ffa889d96f056cc86422efbeb1

Detection of the program platform (SDK) Excelliance, embedded into Android games and applications by software developers. It is designed to optimize the update process, but it can operate as a downloader Trojan and download other programs.

Android.DownLoader.558.origin is a JAR package named main2.jar. It is encrypted and stored in the directory /assets along with other program sources it is embedded into. During the first launch of a program or a game, this package is decrypted and run. After that, it starts operating on its own every time the mobile device connects to the Internet.

Android.DownLoader.558.origin tracks a network connection state, and, on each Internet connection or disconnection, it checks availability of the command and control server http://sdk-o****** When addressing it, the Trojan sends the following requests:


As a response, the Trojan can get a command to download DEX, APK and ELF files.

Launch of code from the DEX files is executed automatically using DexClassLoader, which is located in the main application (Android.RemoteCode.81.origin).

Once APK files are launched, a standard system dialog box is displayed to user. However, if the device has the root access, they are launched automatically.

Rights for downloaded APK and ELF files are assigned via the system tool chmod.

News about the Trojan

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies